■Trying to send NTP/SNMP/SNMP Trap/DNS client/syslog traffic from vSRX-HA to Jessie.
$ lsb_release -d
Description: Debian GNU/Linux 8.2 (jessie)
labunix@vSRX-node0> show version
node0:
--------------------------------------------------------------------------
Hostname: vSRX-node0
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
node1:
--------------------------------------------------------------------------
Hostname: vSRX-node1
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
{secondary:node0}
■NTP time synchronization
Settings for the upstream NTP server and for queries from the downstream NTP clients
server -4 172.31.31.252 iburst
restrict -4 172.16.76.100 kod notrap
restrict -4 192.168.152.100 kod notrap
disable monitor
■Once the Debian side is synchronized.
stratum=3,
■NTP synchronization on the vSRX side as well
Wait a few minutes. In the meantime, watch the traffic, for example with:
tcpdump -i vmnet1 -n -X -vvv udp port 123
labunix@vSRX-node0> show configuration | display set | match ntp
set system ntp server 172.16.76.100
{primary:node0}
labunix@vSRX-node0> set date ntp
node0:
--------------------------------------------------------------------------
21 Dec 21:48:16 ntpdate[2263]: step time server 172.16.76.100 offset -0.000745 sec
node1:
--------------------------------------------------------------------------
21 Dec 21:48:16 ntpdate[2548]: step time server 172.16.76.100 offset -0.000654 sec
{primary:node0}
labunix@vSRX-node0> show ntp status
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Tue Mar 3 22:07:26 UTC 2015 (1)",
processor="i386", system="JUNOS12.1X47-D20.7", leap=00, stratum=4,
precision=-19, rootdelay=46.474, rootdispersion=1.350, peer=32164,
refid=172.16.76.100,
reftime=da2273e7.de5aede6 Mon, Dec 21 2015 21:49:43.868, poll=6,
clock=da2273ea.e895f4cd Mon, Dec 21 2015 21:49:46.908, state=3,
offset=0.000, frequency=0.000, jitter=0.079, stability=0.000
{primary:node0}
labunix@vSRX-node0> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*172.16.76.100 172.31.31.252 3 - 1 64 1 0.407 -1.005 0.096
{primary:node0}
■snmpd configuration
$ sudo apt-get install -y snmpd snmptrapd ; \
sudo /etc/init.d/snmpd restart ; \
sudo tail -10 /var/log/syslog | awk -F\: '/line /{print $(NF-1),$NF}'
[ ok ] Restarting snmpd (via systemctl): snmpd.service.
Unknown token defaultMonitors.
Unknown token linkUpDownNotifications.
$ sudo sed -i -e 's/defaultMonitors/#&/' -e 's/linkUpDownNotifications/#&/' /etc/snmp/snmpd.conf
$ sudo /etc/init.d/snmpd restart ; sudo tail -10 /var/log/syslog | awk -F\: '/line /{print $(NF-1),$NF}'
[ ok ] Restarting snmpd (via systemctl): snmpd.service.
$ snmpwalk -v 1 -c public localhost | tail -1
End of MIB
■snmptrapd configuration
$ echo 'authCommunity log,execute,net private' | sudo tee -a /etc/snmp/snmptrapd.conf
authCommunity log,execute,net private
$ sudo sed -i -e 's/\(TRAPDRUN=\)no/\1yes/' /etc/default/snmptrapd; \
sudo /etc/init.d/snmpd restart; \
sudo /etc/init.d/snmptrapd restart
$ netstat -an | awk '/16[12] /'
udp 0 0 127.0.0.1:161 0.0.0.0:*
udp 0 0 0.0.0.0:162 0.0.0.0:*
■Retrieving vSRX information from Debian with an SNMP client
labunix@vSRX-node0> show configuration | display set | match public
set snmp community public authorization read-only
{primary:node0}
$ snmpwalk -v 1 -c public 172.16.76.203 iso.3.6.1.2.1.2.2.1.2 | awk '/reth/'
iso.3.6.1.2.1.2.2.1.2.539 = STRING: "reth0"
iso.3.6.1.2.1.2.2.1.2.540 = STRING: "reth1"
iso.3.6.1.2.1.2.2.1.2.541 = STRING: "reth2"
iso.3.6.1.2.1.2.2.1.2.542 = STRING: "reth3"
iso.3.6.1.2.1.2.2.1.2.545 = STRING: "reth0.0"
iso.3.6.1.2.1.2.2.1.2.546 = STRING: "reth1.0"
iso.3.6.1.2.1.2.2.1.2.547 = STRING: "reth4"
iso.3.6.1.2.1.2.2.1.2.548 = STRING: "reth2.0"
iso.3.6.1.2.1.2.2.1.2.551 = STRING: "reth3.0"
■Checking the SNMP trap from vSRX on Debian.
labunix@vSRX-node0> show configuration | display set | match private
set snmp trap-group private targets 172.16.76.100
{primary:node0}
labunix@vSRX-node0> request routing-engine login node 1
--- JUNOS 12.1X47-D20.7 built 2015-03-03 21:53:50 UTC
{secondary:node1}
labunix@vSRX-node1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2730]
{secondary:node1}
labunix@vSRX-node1>
*** FINAL System shutdown message from labunix@vSRX-node1 ***
System going down IMMEDIATELY
rlogin: connection closed
{primary:node0}
$ sudo tail -2 /var/log/syslog | sed -e 's/[:,] /"&\n/g'
Dec 21 22:12:29 jessie snmptrapd[17955]":
2015-12-21 22:12:29 172.16.76.203(via UDP":
[172.16.76.203]:50528->[172.16.76.100]:162) TRAP",
SNMP v1",
community private#012#011iso.3.6.1.4.1.2636.3.39.1.14.1 Enterprise Specific Trap (4) Uptime":
0:42:36.65#012#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.15.0 = STRING":
"1"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.16.0 = STRING":
"4"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.17.0 = STRING":
"1"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.18.0 = STRING":
"Unhealthy"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.19.0 = STRING":
"0"
Dec 21 22:12:29 jessie snmptrapd[17955]":
2015-12-21 22:12:29 <UNKNOWN> [UDP":
[172.16.76.203]:50528->[172.16.76.100]:162]:#012iso.3.6.1.2.1.1.3.0 = Timeticks":
(255665) 0:42:36.65#011iso.3.6.1.6.3.1.1.4.1.0 = OID":
iso.3.6.1.4.1.2636.3.39.1.14.1.0.4#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.15.0 = STRING":
"1"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.16.0 = STRING":
"4"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.17.0 = STRING":
"1"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.18.0 = STRING":
"Unhealthy"#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.19.0 = STRING":
"0"#011iso.3.6.1.6.3.1.1.4.3.0 = OID":
iso.3.6.1.4.1.2636.1.1.1.2.96
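As an added example (not part of the original post), a small Python parser for the snmptrapd entry above, re-joined into the single line rsyslog actually wrote: it decodes the #012/#011 escapes into varbinds and flags the "Unhealthy" string that appeared when node1 was rebooted. The sample line is constructed from the output shown; sysUpTime.0 and snmpTrapOID.0 are the standard SNMPv2-MIB object names.

```python
import re

# Constructed sample: the snmptrapd entry shown above, re-joined into the one
# line rsyslog wrote (rsyslog escapes LF as #012 and TAB as #011).
SAMPLE_LINE = (
    'Dec 21 22:12:29 jessie snmptrapd[17955]: 2015-12-21 22:12:29 <UNKNOWN> '
    '[UDP: [172.16.76.203]:50528->[172.16.76.100]:162]:'
    '#012iso.3.6.1.2.1.1.3.0 = Timeticks: (255665) 0:42:36.65'
    '#011iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.2636.3.39.1.14.1.0.4'
    '#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.15.0 = STRING: "1"'
    '#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.16.0 = STRING: "4"'
    '#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.17.0 = STRING: "1"'
    '#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.18.0 = STRING: "Unhealthy"'
    '#011iso.3.6.1.4.1.2636.3.39.1.14.1.1.19.0 = STRING: "0"'
    '#011iso.3.6.1.6.3.1.1.4.3.0 = OID: iso.3.6.1.4.1.2636.1.1.1.2.96'
)

SYSUPTIME = 'iso.3.6.1.2.1.1.3.0'        # sysUpTime.0 (SNMPv2-MIB)
SNMPTRAPOID = 'iso.3.6.1.6.3.1.1.4.1.0'  # snmpTrapOID.0 (SNMPv2-MIB)

# "<syslog ts> <host> snmptrapd[pid]: <date> <time> <agent> [UDP: [src]:port->[dst]:port]:<body>"
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snmptrapd\[\d+\]: '
    r'\S+ \S+ \S+ \[UDP: \[(?P<src>[^\]]+)\]:\d+->\[(?P<dst>[^\]]+)\]:\d+\]:'
    r'(?P<body>.*)$')
VARBIND_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>\w+): (?P<value>.*)$')

def parse_trap_line(line):
    """Return a dict for one snmptrapd syslog record, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # Undo rsyslog's control-character escaping, then split one varbind per field.
    body = m.group('body').replace('#012', '\n').replace('#011', '\t')
    varbinds = {}
    for item in filter(None, re.split(r'[\n\t]+', body)):
        vb = VARBIND_RE.match(item)
        if vb:
            value = vb.group('value')
            if vb.group('type') == 'STRING':
                value = value.strip('"')
            varbinds[vb.group('oid')] = (vb.group('type'), value)
    return {'received': m.group('ts'), 'agent': m.group('src'),
            'collector': m.group('dst'),
            'trap_oid': varbinds.get(SNMPTRAPOID, (None, None))[1],
            'varbinds': varbinds}

def is_unhealthy(trap):
    """True when any STRING varbind carries the 'Unhealthy' cluster state seen above."""
    return any(t == 'STRING' and v == 'Unhealthy' for t, v in trap['varbinds'].values())
```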
■Checking name resolution on Debian.
$ sudo apt-get install -y bind9
$ grep -A 2 'forwarders {' /etc/bind/named.conf.options
forwarders {
172.31.31.251;
};
$ sudo /etc/init.d/bind9 restart
$ dig juniper.com @127.0.0.1 | grep ^[A-z]
juniper.com. 513 IN A 192.107.16.40
$ nslookup juniper.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: juniper.com
Address: 192.107.16.40
■Checking name resolution on vSRX
root@vSRX-node0> show configuration | display set | match name-server
set system name-server 172.16.76.100
set system name-server 192.168.152.100
{primary:node0}
root@vSRX-node0> show host juniper.com
juniper.com has address 192.107.16.40
juniper.com mail is handled by 5 mail.global.frontbridge.com.
juniper.com mail is handled by 5 juniper-com.mail.protection.outlook.com.
{primary:node0}
root@vSRX-node0% dig juniper.com | awk '/^[A-z]/'
juniper.com. 347 IN A 192.107.16.40
■Incidentally, the source address appears to be the management port's IP address.
$ sudo tcpdump -i eth1 -n udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
22:31:14.554410 IP 172.16.76.203.53881 > 172.16.76.100.53: 19718+ A? juniper.com. (29)
22:31:14.554717 IP 172.16.76.100.53 > 172.16.76.203.53881: 19718 1/13/0 A 192.107.16.40 (256)
■syslog configuration on the Debian side
$ sudo awk '/^\$.*udp|^\$.*UDP/ || /stop|fromhost/' /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
fromhost-ip, isequal, "172.16.76.203" /var/log/vSRX-HA1.log
& stop
fromhost-ip, isequal, "172.16.76.204" /var/log/vSRX-HA2.log
& stop
$ sudo touch /var/log/vSRX-HA{1,2}.log; \
sudo /etc/init.d/rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.
$ netstat -an | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
■Checking syslog forwarding from vSRX
root@vSRX-node1> show configuration | display set | match "syslog host"
set system syslog host 172.16.76.100 any warning
set system syslog host 172.16.76.100 facility-override local7
{primary:node1}
root@vSRX-node0> request routing-engine login node 1
--- JUNOS 12.1X47-D20.7 built 2015-03-03 21:53:50 UTC
root@vSRX-node1% cli
{secondary:node1}
root@vSRX-node1> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2470]
*** FINAL System shutdown message from root@vSRX-node1 ***
System going down IMMEDIATELY
{secondary:node1}
■Trying it on the first vSRX unit as well.
root@vSRX-node0> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2354]
{primary:node0}
root@vSRX-node0>
*** FINAL System shutdown message from root@vSRX-node0 ***
System going down IMMEDIATELY
■Checking reception on Debian
$ sudo tail -n 3 /var/log/vSRX-HA{1,2}.log | sed -e 's/: /&\n\t/g'
==> /var/log/vSRX-HA1.log <==
Dec 21 22:57:46 vSRX-node0 jsrpd[1091]:
JSRPD_UNSET_CS_MON_FAILURE:
Cold-sync Monitor failure recovered for redundancy-group 4
Dec 21 22:57:46 vSRX-node0 jsrpd[1091]:
JSRPD_HA_HEALTH_WEIGHT_RECOVERY:
Detected cluster1-Node0-RG4's health weight(255) fully recovery, send out SNMP trap
Dec 21 22:57:57 vSRX-node0 alarmd[1080]:
syslog:
unknown facility/priority:
ff04
==> /var/log/vSRX-HA2.log <==
Dec 21 22:57:46 vSRX-node1 jsrpd[1091]:
JSRPD_HA_HEALTH_WEIGHT_RECOVERY:
Detected cluster1-Node0-RG2's health weight(255) fully recovery, send out SNMP trap
Dec 21 22:57:46 vSRX-node1 jsrpd[1091]:
JSRPD_HA_HEALTH_WEIGHT_RECOVERY:
Detected cluster1-Node0-RG3's health weight(255) fully recovery, send out SNMP trap
Dec 21 22:57:46 vSRX-node1 jsrpd[1091]:
JSRPD_HA_HEALTH_WEIGHT_RECOVERY:
Detected cluster1-Node0-RG4's health weight(255) fully recovery, send out SNMP trap
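As an added example (not the article's own code), Python that parses the forwarded Junos syslog lines above, collects which redundancy groups reported health-weight recovery on each node, and checks that each per-node file only holds lines from the host the rsyslog fromhost-ip rule assigned to it. The sample lines are constructed from the output shown, re-joined as rsyslog wrote them.

```python
import re

# Constructed sample: the /var/log/vSRX-HA{1,2}.log lines shown above, re-joined
# into the single lines rsyslog wrote (the sed above split them at ': ').
SAMPLE_LOGS = {
    '/var/log/vSRX-HA1.log': [
        'Dec 21 22:57:46 vSRX-node0 jsrpd[1091]: JSRPD_UNSET_CS_MON_FAILURE: '
        'Cold-sync Monitor failure recovered for redundancy-group 4',
        'Dec 21 22:57:46 vSRX-node0 jsrpd[1091]: JSRPD_HA_HEALTH_WEIGHT_RECOVERY: '
        "Detected cluster1-Node0-RG4's health weight(255) fully recovery, send out SNMP trap",
        'Dec 21 22:57:57 vSRX-node0 alarmd[1080]: syslog: unknown facility/priority: ff04',
    ],
    '/var/log/vSRX-HA2.log': [
        'Dec 21 22:57:46 vSRX-node1 jsrpd[1091]: JSRPD_HA_HEALTH_WEIGHT_RECOVERY: '
        "Detected cluster1-Node0-RG%d's health weight(255) fully recovery, send out SNMP trap" % rg
        for rg in (2, 3, 4)
    ],
}

# Junos syslog line: "<ts> <host> <process>[<pid>]: <TAG>: <text>"; the TAG is optional.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: '
    r'(?:(?P<tag>[A-Z][A-Z0-9_]+): )?(?P<text>.*)$')
RG_RE = re.compile(r"-RG(\d+)'s health weight\((\d+)\) fully recovery")

def parse_junos_line(line):
    """Split one forwarded Junos syslog line into its fields (None if no match)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def recovered_groups(lines):
    """Map (host, redundancy-group) -> health weight for recovery messages."""
    out = {}
    for line in lines:
        rec = parse_junos_line(line)
        if rec and rec['tag'] == 'JSRPD_HA_HEALTH_WEIGHT_RECOVERY':
            rg = RG_RE.search(rec['text'])
            if rg:
                out[(rec['host'], int(rg.group(1)))] = int(rg.group(2))
    return out

def misrouted(logs, expected_host):
    """Lines whose embedded hostname disagrees with the per-node file the rsyslog
    fromhost-ip rule put them in; expected_host maps file path -> hostname."""
    bad = []
    for path, lines in logs.items():
        for line in lines:
            rec = parse_junos_line(line)
            if rec and rec['host'] != expected_host[path]:
                bad.append((path, line))
    return bad
```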